It’s been a while since I last wrote anything at all.
Today I’ll go through, quickly, an interesting signed macOS sample that collected users’ private information and uploaded it to a third-party server.
Surprisingly, no AV flagged this.
The collected information is shown below:
QQ, Weixin, Mobile, Email, AppList, CPU, RAM, Mac Address, Public IP, Private IP, etc
[ Sample used in the analysis ]
[ Part 1 : Getting Started ]
For those who want to follow along.
Please take note: this is a MALICIOUS file, so do the analysis in a “safe” environment. The password to the attachment is “infected29A”. SHA-256: 292bc285e35af31e0d3607c820fd60cb18ebbbc88ba1914d4af4b322af1d9ec2
As this is a Mac App, let’s take a look at the Mach-O inside it.
One thing to take note of is that a Mach-O binary carries a series of headers (load commands) that tell the loader what to do when the binary is loaded.
One particular load command I’m usually interested in is “LC_LOAD_DYLIB”.
The “LC_LOAD_DYLIB” load command in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load at execution time.
The image shows that the Mach-O loads two dynamic library files: libcJFishPoolHook.dylib and libXMindHook.dylib.
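To make the LC_LOAD_DYLIB check repeatable without opening IDA Pro or Hopper, here is an added example (mine, not code from the original post or from the sample) that walks the load commands of a thin Mach-O image and lists the dylibs it will load, then flags the ones that do not come from the OS directories. The Mach-O structures and constants follow <mach-o/loader.h>; the sample image is constructed in code, and the `@executable_path/../Frameworks/` prefix in front of the two dylib names from the post is an assumption for the example, not something read from the real sample.

```python
import struct

# Magic values and load-command ids from <mach-o/loader.h>
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_CMDS = {
    LC_LOAD_DYLIB: "LC_LOAD_DYLIB",
    LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB",
    LC_REEXPORT_DYLIB: "LC_REEXPORT_DYLIB",
}
# Prefixes of the dylibs we normally expect; anything else deserves a look
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def list_dylibs(data):
    """Return [(command_name, dylib_path), ...] for a thin Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        end = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        end = ">"  # image was written big-endian
    else:
        raise ValueError("not a thin Mach-O (fat/universal files need slicing first)")
    header_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 16)
    if header_size + sizeofcmds > len(data):
        raise ValueError("sizeofcmds runs past end of file")

    found = []
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("truncated or malformed load command at 0x%x" % off)
        if cmd in DYLIB_CMDS:
            # struct dylib_command: cmd, cmdsize, name offset, timestamp, two versions
            name_off = struct.unpack_from(end + "I", data, off + 8)[0]
            if name_off >= cmdsize:
                raise ValueError("dylib name offset outside its load command")
            raw = data[off + name_off:off + cmdsize]
            name = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
            found.append((DYLIB_CMDS[cmd], name))
        off += cmdsize
    return found


def non_system_dylibs(data):
    """Triage helper: dylib paths that are not under the OS library directories."""
    return [path for _, path in list_dylibs(data)
            if not path.startswith(SYSTEM_PREFIXES)]


def build_sample(names):
    """Constructed x86_64 Mach-O: header plus LC_LOAD_DYLIB commands, no segments."""
    cmds = b""
    for n in names:
        s = n.encode() + b"\0"
        pad = (-(24 + len(s))) % 8  # load commands are 8-byte aligned
        cmdsize = 24 + len(s) + pad
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
        cmds += s + b"\0" * pad
    # magic, cputype x86_64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(names), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    # Constructed image: one system dylib plus the two hook libraries named in the post
    sample = build_sample(["/usr/lib/libSystem.B.dylib",
                           "@executable_path/../Frameworks/libcJFishPoolHook.dylib",
                           "@executable_path/../Frameworks/libXMindHook.dylib"])
    for cmd, path in list_dylibs(sample):
        print(cmd, path)
    print("non-system:", non_system_dylibs(sample))
```

Point it at a real file with `list_dylibs(open(path, "rb").read())`; for a universal (fat) binary you first have to pick an architecture slice, which is why the function refuses the `0xcafebabe` magic instead of guessing.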
Let’s load libcJFishPoolHook.dylib to IDA Pro or Hopper.
Immediately after the dylib is loaded in IDA Pro, we can see this.
This confirms that this particular application is trying to get the following information from the unsuspecting user:
QQ, Weixin, phone number, email, OS, CPU type, RAM, MAC address, Public/Private IP address, user name, application list, device ID, Information, etc
If we look deeper, we can see that the application uploads all of this information to “http://dataapi.makeding.com:27169/index.php/DataApi/data”.
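The upload URL gives defenders three indicators to look for in egress logs: the domain, the unusual port, and the request path. The following added example (my own code, not from the original post) runs a small matcher over constructed proxy log lines in an assumed "timestamp client method url status" format and reports which of the three indicators each line hits, so a lookalike domain or a reused path is scored lower than the full match.

```python
from urllib.parse import urlsplit

# Indicators from the analysed sample
EXFIL_DOMAINS = {"makeding.com"}        # matches the apex and any subdomain
EXFIL_PORT = 27169
EXFIL_PATH = "/index.php/DataApi/data"

# Constructed proxy log lines (not real traffic): ts client method url status
SAMPLE_LOG = """\
1498000001 10.0.0.12 GET http://www.apple.com/ 200
1498000002 10.0.0.12 POST http://dataapi.makeding.com:27169/index.php/DataApi/data 200
1498000003 10.0.0.15 GET https://cdn.makeding.com/update.plist 200
1498000004 10.0.0.15 POST http://notmakeding.com/index.php/DataApi/data 404
1498000005 10.0.0.22 GET http://example.org/makeding.com/ 200
"""


def host_matches(host, domains):
    """True if host is one of the indicator domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line):
    """Return the list of indicators a log line matches (empty list = no match)."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed line, caller decides what to do with it
    _ts, _client, method, url, _status = parts
    u = urlsplit(url)
    reasons = []
    if host_matches(u.hostname or "", EXFIL_DOMAINS):
        reasons.append("domain")
    if u.port == EXFIL_PORT:
        reasons.append("port")
    if method == "POST" and u.path == EXFIL_PATH:
        reasons.append("path")
    return reasons


def scan(log):
    """Return [(client, url, reasons)] for every line that hits at least one indicator."""
    hits = []
    for line in log.splitlines():
        reasons = classify(line)
        if reasons:
            parts = line.split()
            hits.append((parts[1], parts[3], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print("%-10s %-60s %s" % (client, url, ",".join(reasons)))
```

Domain matching is done on the parsed hostname rather than with a substring search, which is why the `example.org/makeding.com/` line is not reported; a plain `"makeding.com" in line` check would have flagged it.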
For those who have done forensics on QQ before: we can also see that in “getContact”, this application tries to steal the user’s QQ contacts by accessing the data at
Another thing we can find while auditing the binary is that all the data being exfiltrated is AES encrypted, and the password is “iMdpgSr642Ck:7!@” (without the double quotes), as shown below.
From a static analysis point of view, the person behind this probably took legit apps and added “Extra Features” to them.
But why is it sending data back to “makeding[.]com”?
Based on the developer’s name, I found more apps this developer has “pushed” out with the same “Extra Features”.
The following are the hashes of the apps by this developer.
It’s almost 3am here. I’ll just end this abruptly and let you all have phun analysing this.